Datonomy has been reading the draft report of Rapporteur Jan Philipp Albrecht on the proposed Data Protection Regulations – all 215 pages of it! The full report (available here) was discussed today by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament and although it is not binding on the Committee or on the Parliament itself, it will carry significant weight during the upcoming negotiation phase of the draft Regulation.
What is clear from the report is that both the Commission and the Rapporteur are strongly supportive of radical reform of the current data protection regime. After the report was published Viviane Reding, EC Commissioner for Justice, Fundamental Rights and Citizenship, tweeted that she is “looking forward to swift adoption by both EP [the European Parliament] and Council” of the new data protection regulation. Momentum is building. The points that stood out to Datonomy are these:
- A proposal to extend the period within which controllers have to notify data breach (to their data protection regulator) from 24 hours, as originally proposed, to 72 hours. This is a welcome change though the requirement that notification must be made “without delay” remains (recital 67, Article 31).
- There has been much discussion of “notification fatigue”. In the US where breach notification laws have been in place in most States for several years, consumers are plagued with breach notifications and, so the argument goes, are less likely to pay attention when notified of a serious breach. To address this, the Rapporteur has proposed clarifying that affected individuals need only be notified where the personal data breach is likely to adversely affect the protection of personal data or privacy of the data subject “for example in cases of identity theft or fraud, physical harm, significant humiliation or damage to reputation” (article 32).
- The controversial “right to be forgotten” and “data portability” rights receive broad support (OK, not so helpful). More helpfully, however, the Rapporteur has proposed that the right to demand erasure of data and to be forgotten should apply only where the data was made public “without legal justification” (recital 54), so it would not apply, for example, where an individual has agreed to publication. Any broader right to be forgotten is “neither realistic nor legitimate” according to the Rapporteur.
- No real change to the very broad concept of personal data. Where a natural person can be identified from the data by any person (i.e. not just the data controller), the data is personal data. So the IP addresses logged by a company monitoring hits to its website would be personal data, even if the company itself has no means of linking them to an individual, on the basis that an ISP somewhere in the world would be able to make the link (see article 4(1) and recitals 23 and 24).
- A narrowing of the broad “legitimate interests” justification for processing personal data. This justification should apply only “in exceptional circumstances” (recital 38). The Rapporteur has also attempted to define the circumstances in which “as a rule” processing will be justified as legitimate, and those in which “as a rule” processing would be unwarranted because the interests or fundamental rights and freedoms of the data subject take precedence (see the new proposed Article 6(1)). A controller wanting to rely on this justification must also “publish reasons for believing that its [legitimate] interests override the interests … of the data subject”. In the UK the legitimate interests justification is one of the most frequently relied upon to legitimise processing; if the proposed amendments become law they would require a paradigm shift in how controllers seek to justify processing.
- No change to the requirement that, when relying on consent as a justification for processing, the consent must be “explicit”. The net result of the narrowing of the legitimate interests justification combined with the explicit consent requirement is that it will be much harder for controllers to justify processing of personal data.
- No real change to the requirement for data controllers to appoint a Data Protection Officer. Under the current regime in the UK there is no such requirement; instead controllers simply notify the ICO and pay a fee of £35, or £500 if they have more than 250 staff. Under the draft Regulation the notification requirement is replaced with an obligation to appoint a Data Protection Officer. The Commission proposed a threshold of 250 employees; the Rapporteur has proposed an alternative threshold of 500 data subjects per year (arguably an even lower threshold). The net result is that the current notification cost of £35 is likely to be replaced with a requirement to appoint a DPO, costing businesses thousands, if not tens of thousands, of pounds each year.
- The very significant anti-trust style fines for infringing the requirements of the Regulation (up to 2% of annual worldwide turnover) are largely unchanged, though charging a data subject to access their personal data is promoted from a maximum fine of 0.5% of turnover to 1% of turnover because of its “chilling effect on data subjects” (article 79(5)). The proposed fines certainly make the blood run cold.
Overall, the report is not helpful for business at a time when Europe needs all the help it can get to stimulate growth. It is a missed opportunity to cure some of the many shortcomings of the draft Regulation.
Datonomy will be keeping a close eye on the progress of the draft Regulation this year. Watch this space.